TWI841070B - Attack prevention method and access point using the same - Google Patents
- Publication number
- TWI841070B (TW111144557A)
- Authority
- TW
- Taiwan
- Prior art keywords
- authentication
- sta
- request frame
- frame
- response
Description
The present invention relates to wireless communications, and more specifically, to an attack prevention method for handling authentication flooding attacks, association flooding attacks and/or reassociation flooding attacks, and to an access point using the attack prevention method.
The three types of 802.11 frames are management frames, control frames, and data frames. Wireless clients use management frames (e.g., authentication frames, deauthentication frames, association request frames, and reassociation request frames) to find and connect to the correct Wi-Fi network and to manage the client connection after successful association. Without the Protected Management Frame (PMF) feature, all management frames are sent unprotected in the open. Sending unprotected frames leaves the connection vulnerable to attack. PMF provides integrity protection for unicast and broadcast management frames, and also encrypts unicast management frames in the same way as data to provide confidentiality. However, the PMF standard does not clearly define how to prevent authentication request flooding attacks. As a result, an access point (AP) may frequently send security association (SA) query requests to a non-AP station (STA) to check whether the non-AP STA is active. In addition, there may be interoperability test (IOT) issues between the AP and the connected non-AP STA, so that authentication flooding attacks cannot be prevented effectively.
In addition, after the connection between the AP and the non-AP STA is successfully established, the non-AP STA can enter a power saving mode. A non-AP STA in the power saving mode will not send authentication request frames, association request frames and/or reassociation request frames to the AP. However, the PMF standard does not clearly define how the AP handles authentication request frames, association request frames and/or reassociation request frames while the non-AP STA operates in the power saving mode.
One of the objectives of the present invention is to provide an attack prevention method for handling authentication flooding attacks, association flooding attacks and/or reassociation flooding attacks, and an access point using the attack prevention method.
According to a first aspect of the present invention, an exemplary attack prevention method is disclosed. The exemplary attack prevention method includes: receiving an authentication request frame; and, in response to receiving the authentication request frame, replying with an authentication response frame that is sent to a non-access point (non-AP) station (STA), wherein the authentication response frame includes a timeout interval element carrying an authentication comeback time.
According to a second aspect of the present invention, an exemplary attack prevention method is disclosed. The exemplary attack prevention method includes: ignoring each specific request frame received during a period in which a connected non-access point (non-AP) station (STA) operates in a power saving mode, wherein each specific request frame is one of an authentication request frame, an association request frame, and a reassociation request frame.
According to a third aspect of the present invention, an exemplary access point (AP) capable of preventing attacks is disclosed. The exemplary AP includes a network interface circuit and a control circuit. The network interface circuit is used to receive an authentication request frame. The control circuit is used to generate an authentication response frame in response to the authentication request frame, and to instruct the network interface circuit to send the authentication response frame to a non-access point (non-AP) station (STA), wherein the authentication response frame includes a timeout interval element, and the timeout interval element carries an authentication comeback time.
According to a fourth aspect of the present invention, an exemplary access point (AP) capable of preventing attacks is disclosed. The exemplary AP includes a network interface circuit and a control circuit. The control circuit is configured to ignore each specific request frame received by the network interface circuit during a period in which a connected non-access point (non-AP) station (STA) operates in a power saving mode, wherein each specific request frame is one of an authentication request frame, an association request frame, and a reassociation request frame.
These and other objectives of the present invention will no doubt become apparent to those of ordinary skill in the art after reading the following detailed description of the preferred embodiments illustrated in the various figures and drawings.
100: Wireless communication system
102: Wireless communication device, AP
104: Wireless communication device, non-AP STA
114: Memory
112: Processor
116: Control circuit
118: Network interface circuit
120: TX circuit
122: RX circuit
FIG. 1 is a schematic diagram showing a wireless communication system according to an embodiment of the present invention.
FIG. 2 is a timing diagram showing the process interaction of the first attack prevention scheme adopted by the AP according to an embodiment of the present invention.
FIG. 3 is a timing diagram showing the process interaction of the second attack prevention scheme adopted by the AP according to an embodiment of the present invention.
Certain terms are used in the following description and claims to refer to specific components. As those skilled in the art will understand, electronic device manufacturers may refer to a component by different names. This application does not intend to distinguish between components that differ in name but not in function. In the following description and claims, the terms "including" and "comprising" are used in an open-ended manner and should be interpreted as "including but not limited to...". In addition, the term "coupled" is intended to mean either an indirect or a direct electrical connection. Thus, if one device is coupled to another device, the coupling may be a direct electrical connection or an indirect electrical connection via other devices and connections.
FIG. 1 is a schematic diagram showing a wireless communication system according to an embodiment of the present invention. The wireless communication system 100 includes a plurality of wireless communication devices 102 and 104. For example, the wireless communication system 100 is a wireless fidelity (Wi-Fi) system including an access point (AP) and a non-AP STA. In one embodiment of the present invention, the wireless communication device 102 is an AP, and the wireless communication device 104 is a non-AP STA. The AP can adopt the proposed attack prevention schemes. For brevity, only two wireless communication devices 102 and 104 are shown in FIG. 1. In practice, the wireless communication system 100 is allowed to have more than two wireless communication devices, including an AP and more than one non-AP STA in the same basic service set (BSS).
The wireless communication device 102 includes a processor 112, a memory 114, a control circuit 116, and a network interface circuit 118, wherein the network interface circuit 118 includes a transmitter (TX) circuit 120 and a receiver (RX) circuit 122. The memory 114 is arranged to store program code. The processor 112 is used to load and execute the program code to manage the wireless communication device 102. The control circuit 116 is used to control wireless communication with the wireless communication device 104. Since the wireless communication device 102 is an AP and the wireless communication device 104 is a non-AP STA, the control circuit 116 controls the TX circuit 120 of the network interface circuit 118 to handle downlink (DL) traffic between the AP and the non-AP STA, and controls the RX circuit 122 of the network interface circuit 118 to handle uplink (UL) traffic between the AP and the non-AP STA.
It should be noted that FIG. 1 shows only the components related to the present invention. In practice, the wireless communication device 102 may include additional components to implement specified functions.
In this embodiment, the wireless communication device 102 is an AP that can support a first attack prevention feature and/or a second attack prevention feature. The first attack prevention feature handles authentication flooding attacks within a timeout period specified by the authentication comeback time. The second attack prevention feature handles authentication flooding attacks, association flooding attacks, and/or reassociation flooding attacks during a period in which the wireless communication device 104 (which is a non-AP STA) operates in a power saving mode. Further details of the proposed first and second attack prevention schemes are described with reference to the accompanying drawings.
Please refer to FIG. 1 in conjunction with FIG. 2. FIG. 2 is a timing diagram showing the process interaction of the first attack prevention scheme adopted by the AP according to an embodiment of the present invention. In the wireless communication system (e.g., Wi-Fi system) 100 shown in FIG. 1, the wireless communication device 102 is an AP, and the wireless communication device 104 is a non-AP STA. In the following, the terms "wireless communication device 102" and "AP 102" are interchangeable, and the terms "wireless communication device 104" and "non-AP STA 104" are interchangeable. A connection negotiation process is initiated between the AP 102 and the non-AP STA 104. For example, the connection negotiation process may include an authentication process, an association process, and an extensible authentication protocol over local area network (EAPOL) process. After the non-AP STA 104 successfully connects to the AP 102, the network interface circuit 118 of the AP 102 (specifically, the RX circuit 122 of the network interface circuit 118) receives an authentication request frame. In this example, the authentication request frame is sent by an attacker rather than by the connected non-AP STA 104. The control circuit 116 of the AP 102 is used to generate an authentication response frame in response to the authentication request frame and to instruct the network interface circuit 118 (specifically, the TX circuit 120 of the network interface circuit 118) to send the authentication response frame to the non-AP STA 104. In this embodiment, the body of the authentication response frame may include a Reason Code field and a Timeout Interval element (TIE), wherein the Reason Code field indicates the reason for generating the authentication response frame, and the TIE carries the Authentication Comeback time that specifies a timeout period. The Authentication Comeback time carried in the authentication response frame notifies the non-AP STA 104 not to send an authentication request within the Authentication Comeback time, and to send an authentication request only after the Authentication Comeback time. The timeout period may be the length of the Authentication Comeback time, as shown in FIG. 2, for example. The Authentication Comeback time may start from the reception of the attacker's authentication request frame, but the present invention is not limited thereto.
The control circuit 116 of the AP 102 is also used to ignore each authentication request frame received by the network interface circuit 118 (specifically, the RX circuit 122 of the network interface circuit 118) within the timeout period specified by the Authentication Comeback time (which is carried by the authentication response frame sent in response to the authentication request frame from the attacker). For example, before the timeout period expires, the control circuit 116 directly discards any received authentication request frame without processing its payload. This saves AP resources. As another example, before the timeout period expires, the control circuit 116 does not generate an authentication response frame in response to any received authentication request frame. This keeps unnecessary authentication response frames from occupying wireless medium resources. As shown in FIG. 2, the proposed first attack prevention scheme protects the AP 102 from authentication flooding attacks from an attacker within the timeout period specified by the Authentication Comeback time.
In addition, the control circuit 116 of the AP 102 is also configured to generate a Security Association (SA) query request frame and to instruct the network interface circuit 118 (specifically, the TX circuit 120 of the network interface circuit 118) to send the SA query request frame to the non-AP STA 104 within the timeout period specified by the Authentication Comeback time. A non-AP STA 104 that supports the SA query procedure and receives the SA query request frame should respond with an SA query response frame unless the non-AP STA 104 is not in an active state (i.e., is not currently associated with the AP 102 that sent the SA query request frame). If the network interface circuit 118 (specifically, the RX circuit 122 of the network interface circuit 118) receives an SA query response frame with the correct transaction identifier (ID) from the non-AP STA 104 within the timeout period specified by the Authentication Comeback time, the control circuit 116 maintains the connection with the non-AP STA 104. Otherwise, if the network interface circuit 118 (specifically, the RX circuit 122 of the network interface circuit 118) does not receive an SA query response frame with the correct transaction ID from the non-AP STA 104 within the timeout period specified by the Authentication Comeback time, the control circuit 116 generates a deauthentication frame for terminating the Wi-Fi connection and instructs the network interface circuit 118 (specifically, the TX circuit 120 of the network interface circuit 118) to send the deauthentication frame to the non-AP STA 104. The SA query request frame includes a transaction ID; if the transaction ID in the SA query response frame is the same as the transaction ID in the SA query request frame, the SA query response frame has the correct transaction ID.
As shown in FIG. 2, the first attack prevention scheme has an explicit process for handling authentication flooding attacks and can prevent IOT issues between the AP and connected non-AP STAs.
Please refer to FIG. 1 in conjunction with FIG. 3. FIG. 3 is a timing diagram showing the process interaction of the second attack prevention scheme adopted by the AP according to an embodiment of the present invention. In the wireless communication system (e.g., Wi-Fi system) 100 shown in FIG. 1, the wireless communication device 102 is an AP, and the wireless communication device 104 is a non-AP STA. In the following, the terms "wireless communication device 102" and "AP 102" are interchangeable, and the terms "wireless communication device 104" and "non-AP STA 104" are interchangeable. A connection negotiation process is initiated between the AP 102 and the non-AP STA 104. For example, the connection negotiation process may include an authentication process, an association process, and an EAPOL process. After the non-AP STA 104 successfully connects to the AP 102, the non-AP STA 104 may enter a power saving mode (PS=1) when it has no data to send. For example, the non-AP STA 104 may send a frame to the AP 102 to indicate that the non-AP STA 104 operates in the power saving mode. The control circuit 116 of the AP 102 is configured to ignore each specific request frame (e.g., an authentication request frame, an association request frame, or a reassociation request frame) received by the network interface circuit 118 (specifically, the RX circuit 122 of the network interface circuit 118) during the period in which the connected non-AP STA 104 operates in the power saving mode. Since the non-AP STA 104 has entered the power saving mode, it will not send any authentication request frame, association request frame, or reassociation request frame to the AP 102. Therefore, any authentication request frame, association request frame, and/or reassociation request frame that the AP 102 receives during the period in which the connected non-AP STA 104 operates in the power saving mode is regarded as a flooding attack from an attacker.
For example, the control circuit 116 directly discards any authentication/association/reassociation request frame received during the period in which the connected non-AP STA 104 operates in the power saving mode (i.e., before the non-AP STA 104 leaves the power saving mode (PS=0)), without processing the payload of the received frame. This saves AP resources. As another example, the control circuit 116 does not generate a specific frame in response to any authentication/association/reassociation request frame received during the period in which the connected non-AP STA 104 operates in the power saving mode (i.e., before the non-AP STA 104 leaves the power saving mode (PS=0)), where the specific frame can be one of an authentication response frame, an association response frame, a reassociation response frame, and an SA query request frame. This keeps unnecessary authentication response frames, association response frames, reassociation response frames, and SA query request frames from occupying wireless medium resources. In addition, since a non-AP STA 104 in the power saving mode cannot reply with an SA query response frame, the second attack prevention scheme stops the AP 102 from sending the SA query request frame, which prevents the AP 102 from accidentally terminating the Wi-Fi connection between the AP 102 and the non-AP STA 104.
As shown in FIG. 3, the second attack prevention scheme protects the AP 102 from authentication/association/reassociation flooding attacks from an attacker during the period in which the non-AP STA 104 operates in the power saving mode. Specifically, the second attack prevention scheme has an explicit process for handling authentication/association/reassociation flooding attacks when the connected non-AP STA operates in the power saving mode.
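The two schemes described above can be modeled as one per-STA state machine on the AP: requests are dropped while the connected STA is in power save, and authentication requests are dropped inside the comeback window while an SA query decides whether the connection is kept. This is an added illustration, not code from the patent; the type and function names, the 1000 ms `COMEBACK_MS` value and the constructed flood timeline are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define COMEBACK_MS 1000u  /* assumed value; the page does not give one */

typedef enum { REQ_AUTH, REQ_ASSOC, REQ_REASSOC } req_type;

typedef enum {
    ACT_NONE,
    ACT_DROP_POWER_SAVE,  /* second scheme: STA is in power save, ignore frame */
    ACT_DROP_IN_WINDOW,   /* first scheme: comeback window running, ignore     */
    ACT_AUTH_RESP_TIE,    /* first scheme: auth response with TIE + SA query   */
    ACT_NORMAL_PATH,      /* case the page does not describe                   */
    ACT_KEEP_CONNECTION,  /* SA query response with matching transaction ID    */
    ACT_IGNORE,           /* late or mismatched SA query response              */
    ACT_DEAUTH            /* window ended without a valid SA query response    */
} ap_action;

/* State the AP keeps for one connected non-AP STA (hypothetical layout). */
typedef struct {
    bool     power_save;     /* true after the STA signalled PS=1      */
    bool     window_open;    /* comeback window currently running      */
    bool     sa_answered;    /* valid SA query response seen in window */
    uint64_t window_end_ms;  /* absolute end of the comeback window    */
    uint16_t sa_trans_id;    /* transaction ID of the SA query sent    */
} sta_state;

/* Timer path: close an expired window and decide whether to deauthenticate. */
ap_action ap_tick(sta_state *s, uint64_t now_ms)
{
    if (!s->window_open || now_ms < s->window_end_ms)
        return ACT_NONE;
    s->window_open = false;
    return s->sa_answered ? ACT_NONE : ACT_DEAUTH;
}

/* RX path for authentication/association/reassociation request frames that
 * carry the connected STA's address. trans_id is used only when this call
 * starts an SA query. */
ap_action ap_on_request(sta_state *s, req_type t, uint64_t now_ms,
                        uint16_t trans_id)
{
    if (s->power_save)                 /* a dozing STA sends none of these */
        return ACT_DROP_POWER_SAVE;    /* no response frame, no SA query   */
    if (t != REQ_AUTH)
        return ACT_NORMAL_PATH;
    if (ap_tick(s, now_ms) == ACT_DEAUTH)
        return ACT_DEAUTH;
    if (s->window_open)
        return ACT_DROP_IN_WINDOW;     /* payload is never parsed          */
    s->window_open   = true;
    s->sa_answered   = false;
    s->window_end_ms = now_ms + COMEBACK_MS;
    s->sa_trans_id   = trans_id;
    return ACT_AUTH_RESP_TIE;
}

/* RX path for SA query response frames from the connected STA. */
ap_action ap_on_sa_query_response(sta_state *s, uint16_t trans_id,
                                  uint64_t now_ms)
{
    if (!s->window_open || now_ms >= s->window_end_ms ||
        trans_id != s->sa_trans_id)
        return ACT_IGNORE;
    s->sa_answered = true;
    return ACT_KEEP_CONNECTION;
}

/* Constructed flood: n spoofed auth requests, one every gap_ms, while the
 * real STA answers each SA query 5 ms later. Returns how many
 * authentication response frames the AP transmitted. */
unsigned flood_responses(unsigned n, unsigned gap_ms)
{
    sta_state s = {0};
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++) {
        uint64_t now = (uint64_t)i * gap_ms;
        uint16_t id  = (uint16_t)(0x1000u + i);
        if (ap_on_request(&s, REQ_AUTH, now, id) == ACT_AUTH_RESP_TIE) {
            sent++;
            ap_on_sa_query_response(&s, id, now + 5);
        }
    }
    return sent;
}

int main(void)
{
    printf("auth responses sent for 500 flooded frames: %u\n",
           flood_responses(500, 10));
    return 0;
}
```

With 500 flooded frames spaced 10 ms apart, the AP transmits one response per comeback window instead of one per frame, and a window that ends without a matching SA query response yields `ACT_DEAUTH`.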
Those skilled in the art will readily observe that numerous modifications and alterations of the device and method may be made while retaining the teachings of the present invention. Accordingly, the above disclosure should be construed as limited only by the metes and bounds of the appended claims.
Although the present invention has been described in terms of what are currently considered to be the most practical and preferred embodiments, it should be understood that the present invention need not be limited to the disclosed embodiments. On the contrary, it is intended to cover various modifications and similar arrangements included within the spirit and scope of the appended claims, thereby encompassing all such modifications and similar structures.
102: AP
104: Non-AP STA
Claims (12)
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IN202121055885 | 2021-12-02 | ||
US17/991,767 | 2022-11-21 | ||
US17/991,767 US20230180006A1 (en) | 2021-12-02 | 2022-11-21 | Attack prevention method for dealing with authentication flooding attack, association flooding attack, and/or reassociation flooding attack and access point using the same |
Publications (2)
Publication Number | Publication Date |
---|---|
TW202325055A | 2023-06-16 |
TWI841070B | 2024-05-01 |